Packet-Marking Scheme for DDoS Attack Prevention

Presentation transcript:

Packet-Marking Scheme for DDoS Attack Prevention
K. Stefanidis and D. N. Serpanos
University of Patras

Introduction
- DDoS attacks thrive…
- Detection works most of the time
- They cannot be stopped because the sources of the attack are hard to find
- Unlike most hacking attempts, no response from the victim is required
- Thus, the source IP address of the attack packets is almost always spoofed
- Proposed solutions:
  - Ingress filtering
  - Logging
  - Link testing
  - Packet marking

Goals and Assumptions
- We need to find a way to filter the packets that are part of a DDoS attack
  - Note: Source IP address can be spoofed
- We need to find a way to distinguish legitimate from attack packets
- No additional information except from the packet's contents should be required
- No additional packets should be required
- Attacker may generate any packet
- Attacker knows that he is being traced
- Attacker knows the traceback scheme
- Routing is stable most of the time
- Routers are not compromised
- Routers are CPU and memory limited

Marking Scheme - Overview
- Packets are marked by all the routers along their path
- Upon arrival, packets carry a distinct mark that denotes their path
- A path field and a distance field compose the mark
- Routers XOR part of their IP address with the existing path field
- They also increase the distance field by one

Marking Procedure
- We overload part of the fragmentation fields of the IP header
- The first router along the path initializes the marking
- The other routers inject their information
- Scheme is robust against false markings

Filtering and Traceback
- Detection/filtering system can use packet markings instead of the source IP address for real-time filtering
  - Same markings denote same source network
  - What about different paths?
- Traceback
  - Use the inverse marking procedure to trace the sources of those packets
  - Recursively "visit" upstream routers until you find a source
  - Requires a map of the upstream routers
  - Computationally intensive; can be done "post mortem"
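The marking step from the "Marking Scheme" and "Marking Procedure" slides and the mark-based filter from "Filtering and Traceback", modelled as an added example (not code from the presentation or its authors). The 12/5 split of the 17-bit mark, the way a router derives its "part" of the address, and the routes are assumptions; the slides do not specify them.

```python
import ipaddress

# Assumed split of the 17-bit mark (the slides give only the total).
PATH_BITS, DIST_BITS = 12, 5
PATH_MASK, DIST_MASK = (1 << PATH_BITS) - 1, (1 << DIST_BITS) - 1

def router_part(router_ip):
    """Assumed 'part of the IP address': the 32-bit address folded to PATH_BITS."""
    v = int(ipaddress.IPv4Address(router_ip))
    return (v ^ (v >> PATH_BITS) ^ (v >> 2 * PATH_BITS)) & PATH_MASK

def mark_along(route, preloaded=0):
    """Return the 17-bit mark a packet carries after crossing `route`.

    `preloaded` is whatever the sender wrote into the overloaded header bits.
    """
    path, dist = preloaded >> DIST_BITS, preloaded & DIST_MASK
    for hop, router_ip in enumerate(route):
        if hop == 0:
            path, dist = 0, 0           # first router initialises the mark
        path ^= router_part(router_ip)  # every router XORs in its part
        dist = (dist + 1) & DIST_MASK   # and increases the distance by one
    return (path << DIST_BITS) | dist

def unmark(mark, router_ip):
    """Inverse step for traceback: remove one upstream router's contribution."""
    path, dist = mark >> DIST_BITS, mark & DIST_MASK
    return ((path ^ router_part(router_ip)) << DIST_BITS) | ((dist - 1) & DIST_MASK)

def filter_by_mark(packets, blocked_marks):
    """Drop packets whose mark is blocked; the source address is never consulted."""
    return [p for p in packets if p["mark"] not in blocked_marks]

# Constructed topology using documentation address ranges.
ATTACK_ROUTE = ["192.0.2.1", "198.51.100.1", "203.0.113.1"]
CLEAN_ROUTE = ["192.0.2.9", "198.51.100.1", "203.0.113.1"]

def demo():
    # Constructed packets: two from the attack path (one with a forged mark),
    # one legitimate packet that happens to share a spoofed source address.
    packets = [
        {"src": "10.1.1.1", "mark": mark_along(ATTACK_ROUTE)},
        {"src": "10.9.9.9", "mark": mark_along(ATTACK_ROUTE, preloaded=0x1ABCD)},
        {"src": "10.1.1.1", "mark": mark_along(CLEAN_ROUTE)},
    ]
    return filter_by_mark(packets, {mark_along(ATTACK_ROUTE)})

if __name__ == "__main__":
    print(demo())
```

Only the packet that arrived over the clean route survives the filter, even though it shares a source address with an attack packet and one attack packet arrived with a forged mark.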

Analysis - Overheads
- The marking procedure is simple and stateless
- It produces no bandwidth overhead
- The amount of information that has to be stored by the victim is limited
  - One 17-bit marking per attack source
  - An updated map of upstream routers (< 10 MB)

Analysis - Faults
- No false negative probability is introduced
- False positives exist
  - R is the number of edge routers
  - A is the number of attacking hosts
  - n is the number of bits of the marking

Conclusions and Further Work
- Identifying the true source of incoming packets is the key problem that has to be solved in order to effectively stop DDoS attacks
- This marking scheme enables
  - Per-packet filtering of attack packets
  - Effective traceback
- Unlike existing marking schemes
  - It is robust against false markings
  - False positives do not rise as attacking hosts increase
  - No additional packets are required for filtering and traceback purposes

Thank you… Any questions?